Security

4 Tips to Manage Shadow IT's Impact in Healthcare

It’s not uncommon for employees to find IT work-arounds. Here’s how IT teams can keep an eye on potential security risks.

Joel Snyder

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Dr. Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.

Shadow IT — software and hardware that run outside of normal IT channels — exists in every organization. Healthcare is no exception, but the special sensitivity to disclosure, loss or abuse of protected health information makes shadow IT a notable risk.

Here are key tips for coping with shadow IT and transforming it to your advantage.

Click the banner below to explore zero trust and its benefits for healthcare.

1. Partner with Other Departments Instead of Blocking Them

Shadow IT exists for a reason: IT departments can be slow and their requirements burdensome when others just want to get work done. Shadow IT projects are often innovative and usually implemented very quickly. IT teams should focus on why specific cases of shadow IT happen and try to be a partner rather than a naysayer. Work to understand the problem to be solved. Then prioritize a solution and become part of the team. Make the contribution needed to ensure that IT’s security concerns and operational requirements are satisfied, and let the shadow IT team do their own thing otherwise.

2. Set Priorities: Deal with Real Security Risks

Not every shadow IT project puts protected health information at risk or threatens compliance. Manage the risk where appropriate and back off when shadow IT doesn’t present a true risk to the organization. Identify the most critical IT policies and make sure that everyone knows what the red lines are — the ones that cannot be crossed without jeopardizing patient privacy and compliance auditing. Offer education and training on how to meet general security requirements and, if possible, extend access to services such as single sign-on or secure web proxies. If there’s no real risk, don’t get in the way of an agile and innovative project.

UP NEXT: Learn how to avoid becoming the bait of a phishing email.

3. Make Shadow IT a Force Multiplier

Shadow IT is someone else doing IT’s job for them. Let that happen. When a project is up and running, you’ve gained in-house knowledge and expertise with a minimum use of IT team resources. Leverage that experience and build on it. Successful shadow IT projects often grow their scope or user base over time, and when that happens, the shadow teams are usually happy to hand over a project to production IT. Consider that a gift of time and effort, even if it’s not exactly how you would have done it.

4. Monitor and Manage Shadow IT from a Distance

Knowing where shadow IT exists isn’t easy, especially with cloud-based solutions. A combination of network monitoring and cost controls will help identify the who and where. Once you’ve found shadow IT in operation, track it and make sure you know its scope and timelines. Keep in contact with the team running the shadow IT project, and ask for status updates, documentation and lines of responsibility. Shadow IT shouldn’t be permanent; if it looks to be an ongoing project, negotiate for integration into production IT processes for vulnerability management, resource planning and upgrades, and business continuity.

Greg Mably/Theispot